An Overview of the Current State-Based Privacy Legislation
State legislation continues to be a driving force behind the changing privacy law landscape in the United States. Throughout the first quarter of 2022 so far, we have seen advances in state privacy legislation with new bills being introduced or older legislation being carried over from 2021 on almost a weekly basis. As we saw last year in both Virginia and Colorado, comprehensive state privacy laws can be passed quickly and, while the laws themselves usually have several months to years of lead time before going into effect, companies must still pivot their forward-looking strategies to account for new state privacy law compliance requirements.
Where We Are
Privacy-related legislation has been introduced or carried over from previous legislative sessions in 24 states, including Alaska, Arizona, Florida, Georgia, Hawaii, Indiana, Iowa, Kentucky, Maine, Maryland, Massachusetts, Minnesota, Nebraska, New Jersey, New York, North Carolina, Ohio, Oklahoma, Pennsylvania, Vermont, Washington, West Virginia, and Wisconsin. In Mississippi, the “Mississippi Consumer Data Privacy Act” was introduced, but died in committee.
While most of the legislation remains in committee, a few bills – including SB 358 in Indiana and HB 1602, commonly referred to as the “Oklahoma Computer Data Privacy Act” – have moved into cross-committee discussions, advancing them one step closer to becoming law.
As we have seen in the past, many bill sponsors are looking to other states’ enacted laws for inspiration. For example, recently introduced legislation in Maine (SP 713/LD 1982) and Maryland (SB 11) closely resembles the California Consumer Privacy Act (“CCPA”), as amended by the California Privacy Rights Act (“CPRA”). An even greater number of bills are currently aligning with the Virginia Consumer Data Protection Act (“VCDPA”), including those in Indiana (SB 358), Iowa (HSB 674), Utah (SB 227), Wisconsin (AB 957 and SB 957), and Pennsylvania (HB 2257). Finally, one of the two bills introduced in Florida resembles the Colorado Privacy Act.
Some state legislation also appears to be taking a piecemeal approach, pulling certain details from several of the current laws. For example, legislation in Kentucky combines elements of the VCDPA and the Colorado Privacy Act, while legislation in Massachusetts appears to draw from the CPRA, the VCDPA, the Colorado Privacy Act, and the General Data Protection Regulation (“GDPR”). Finally, three separate bills have been introduced in Hawaii, each resembling slightly different elements of the CPRA and the VCDPA.
Across the Board, a Consistent Focus on Consumer Rights
While the legislation proposed in these states differs in many ways, one consistent theme is the creation of more robust consumer rights over personal data. For instance, nearly all of the proposed legislation includes the right of consumers to access and delete their personal information. Similarly, most of the bills include a consumer right to opt out of the sale of personal information (or, in the bills introduced in Georgia, Massachusetts, New Jersey, Oklahoma, and Washington, a requirement that consumers opt in to the sale of their data).
Each of the bills introduced up to this point has also included specific requirements that businesses provide notice to consumers of the collection of personal information, state a specified purpose for that collection, and limit the collection and use of personal information to that purpose.
What Companies Can Do to Prepare
It is difficult for anyone to predict which, if any, of these bills will become law. However, as companies work toward compliance with the California, Virginia, and Colorado laws that go into effect in 2023, it makes sense to think about how to implement fundamental privacy principles and compliance activities that can accommodate new statutory requirements as they arrive.
At a minimum, companies should do the following to prepare for the inevitable changes that will occur as more states adopt data protection laws:
- Provide Clear Privacy Notices. Ensure privacy policies are up to date, not only with regard to compliance with current laws, but also to provide as much transparency as possible about what data is collected and how it is used and shared.
- Configure Systems to Allow for Consumer Rights Requests. While not all states provide rights of access and deletion, companies should make an effort to understand how they would respond to these requests (from both a process and a technical perspective) if and when they are required to provide consumers these rights in the future. If a company has already created a consumer rights request process under the CCPA or another law, how can that process be expanded to accommodate requests from other states if needed?
- Understand Where You “Sell” Data. Again, not all states require companies to allow people to opt out of the sale of data, but given the increasing focus on this across so many states, understanding where a company potentially sells personal data can make it easier to comply with required opt-ins and opt-outs in the future.